sub2api/.github/workflows/security-scan.yml

name: Security Scan

on:
  push:
  pull_request:
  schedule:
    - cron: '0 3 * * 1'

permissions:
  contents: read

jobs:
  backend-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: backend/go.mod
          check-latest: false
          cache-dependency-path: backend/go.sum
      - name: Verify Go version
        run: |
          go version | grep -q 'go1.25.5'
      - name: Run govulncheck
        working-directory: backend
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
      - name: Run gosec
        working-directory: backend
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          gosec -severity high -confidence high ./...

  frontend-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'pnpm'
          cache-dependency-path: frontend/pnpm-lock.yaml
      - name: Install dependencies
        working-directory: frontend
        run: pnpm install --frozen-lockfile
      - name: Run pnpm audit
        working-directory: frontend
        run: |
          pnpm audit --prod --audit-level=high --json > audit.json || true
      - name: Check audit exceptions
        run: |
          python tools/check_pnpm_audit_exceptions.py \
            --audit frontend/audit.json \
            --exceptions .github/audit-exceptions.yml